Hi,
What is the smartest way to collect the login/logout accesses from an MS SQL server without using the add-on or the DB Connect app?
The version of MS SQL is a 64-bit Standard Edition (in fact, I found out auditing is not available in this edition).
I was thinking of putting an inputs.conf in a Splunk forwarder app and then deploying the app to the MS SQL servers, but I am not sure about the stanzas to define there...
Thanks for any suggestion,
Skender
I don't have a Standard Edition to test with, but it seems to me that SE also sends logs to the Windows Security Event Log.
So the Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe
Hi All,
Absolute Splunk n00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? I am currently asking myself the same question as @skender27.
I have enabled the logging in SSMS and can actually see the events from the SA login. My inputs.conf looks as follows:
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"
The problem is I see none of the corresponding event IDs for the SA user logins in Splunk (18453, 18454, 18456). Any ideas or tips would be much appreciated.
cheers
Oli
Hi Giuseppe,
You are right, but some versions of MS SQL Server send logs with EventCodes to the Windows:Application channel and not Windows:Security (the codes I verified were: 18453, 18454, 18456).
Anyway, your suggestion was correct!
Thanks,
Skender
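To make the two sets of event codes discussed in this thread concrete, here is an added example (not from the thread or from Splunk) that parses Windows event records in the XML shape that a `renderXml = true` WinEventLog input forwards, maps the EventID to login success / logout / login failed, and counts failed logins per login name and client address. The sample records, host name, logins and IP addresses are constructed; the distinction that 18453 is a Windows-authenticated login and 18454 a SQL-authenticated one comes from the SQL Server error-message catalogue rather than from this thread. It also shows the check a practitioner wants on the Application channel: Event IDs are only unique per provider, so a record must come from the SQL Server service (`MSSQLSERVER`, or `MSSQL$<INSTANCE>` for a named instance) before it is counted.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Default namespace used by Windows event XML.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Event codes named in this thread: 18453/18454/18456 are written by the SQL Server
# service to the Application log; 24001-24003 are the Security-log codes quoted above.
EVENT_MEANING = {
    "18453": ("login_success", "windows_auth"),
    "18454": ("login_success", "sql_auth"),
    "18456": ("login_failed", None),
    "24001": ("login_success", None),
    "24002": ("logout", None),
    "24003": ("login_failed", None),
}


def _event_xml(provider, event_id, channel, data_fields):
    """Build a constructed record in the shape Splunk's renderXml=true input forwards."""
    data = "".join("<Data>%s</Data>" % d for d in data_fields)
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><Provider Name='%s'/><EventID Qualifiers='16384'>%s</EventID>"
            "<Channel>%s</Channel><Computer>SQL01.corp.example</Computer></System>"
            "<EventData>%s</EventData></Event>" % (provider, event_id, channel, data))


# Constructed sample events (host, logins and client addresses are made up).
SAMPLE_EVENTS = [
    _event_xml("MSSQLSERVER", "18454", "Application", ["sa", " [CLIENT: 10.0.0.5]"]),
    _event_xml("MSSQLSERVER", "18456", "Application",
               ["sa", "Reason: Password did not match that for the login provided.", " [CLIENT: 10.0.0.5]"]),
    _event_xml("MSSQLSERVER", "18456", "Application",
               ["sa", "Reason: Password did not match that for the login provided.", " [CLIENT: 10.0.0.5]"]),
    _event_xml("MSSQLSERVER", "18453", "Application", ["CORP\\svc_app", " [CLIENT: 10.0.0.7]"]),
    # Another application reusing the same numeric ID: must not be counted as SQL Server.
    _event_xml("SomeOtherApp", "18456", "Application", ["job failed"]),
]


def is_sql_server_provider(provider):
    # Default instance logs as MSSQLSERVER, named instances as MSSQL$<INSTANCE>.
    return provider == "MSSQLSERVER" or provider.startswith("MSSQL$")


def parse_event(xml_text):
    """Extract provider, EventID, channel, the login name and the client address."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    data = [(d.text or "") for d in root.iter(NS + "Data")]
    client = re.search(r"\[CLIENT:\s*([^\]]+)\]", " ".join(data))
    return {
        "provider": system.find(NS + "Provider").get("Name", ""),
        "event_id": (system.findtext(NS + "EventID") or "").strip(),
        "channel": (system.findtext(NS + "Channel") or "").strip(),
        # For 18453/18454/18456 the first EventData field is the login name.
        "login": data[0].strip() if data else "",
        "client": client.group(1).strip() if client else "",
    }


def classify(event):
    """Return (outcome, authentication type) for a parsed event."""
    return EVENT_MEANING.get(event["event_id"], ("unknown", None))


def summarize(xml_records):
    """Count outcomes, and failed logins per (login, client), over a batch of records."""
    counts = Counter()
    failed_by_login = Counter()
    ignored = 0
    for rec in xml_records:
        ev = parse_event(rec)
        # On the shared Application channel, keep only records from the SQL Server service.
        if ev["channel"] == "Application" and not is_sql_server_provider(ev["provider"]):
            ignored += 1
            continue
        outcome, _ = classify(ev)
        counts[outcome] += 1
        if outcome == "login_failed":
            failed_by_login[(ev["login"], ev["client"])] += 1
    return {"counts": dict(counts), "failed_by_login": dict(failed_by_login), "ignored": ignored}


if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        ev = parse_event(rec)
        print(ev["event_id"], ev["provider"], ev["login"], ev["client"], classify(ev))
    print(summarize(SAMPLE_EVENTS))
```

The same provider restriction is worth applying at collection time as well: a bare numeric whitelist on `WinEventLog://Application` forwards every application's events with those IDs, so either restrict the input to the SQL Server source (check the inputs.conf spec for the exact whitelist syntax of your Splunk version) or filter on the source name in the search.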
OK, I cannot try this right now, but I just put this into the inputs.conf (deployed via the FW app):
[WinEventLog://Security]
start_from = oldest
checkpointInterval = 5
disabled = 0
index = my_ms_sql
whitelist = 24001-24003
Should it be fine?
Skender
Hi Giuseppe,
I have had no chance to test it yet, but I will let you know as soon as possible.
Thanks for the Event Codes!
Skender